Sudo Stable Release

Current Version

The current stable version of sudo is 1.7.4.

For full details see the ChangeLog file or view the commit logs via mercurial.

Major changes between version 1.7.3 and 1.7.4:

  • Sudoedit will now preserve the file extension in the name of the temporary file being edited. The extension is used by some editors (such as emacs) to choose the editing mode.

  • Time stamp files have moved from /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories are checked for existence in that order. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.

  • Ancillary documentation (README files, LICENSE, etc) is now installed in a sudo documentation directory.

  • Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" in ldap.conf.

  • Defaults settings that are tied to a user, host or command may now include the negation operator. For example: Defaults:!millert lecture will match any user but millert.

  • The default PATH environment variable, used when no PATH variable exists, now includes /usr/sbin and /sbin.

  • Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/) for cross-platform packing.

  • On Linux, sudo will now restore the nproc resource limit before executing a command, unless the limit appears to have been modified by pam_limits. This avoids a problem with bash scripts that open more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).

  • Visudo will now treat an unrecognized Defaults entry as a parse error (sudo will warn but still run).

  • The HOME and MAIL environment variables are now reset based on the target user's password database entry when the env_reset sudoers option is enabled (which is the case in the default configuration). Users wishing to preserve the original values should use a sudoers entry like: 
    	Defaults env_keep += HOME
    to preserve the old value of HOME and 
    	Defaults env_keep += MAIL
    to preserve the old value of MAIL.

  • The tty_tickets option is now on by default.

  • Fixed a problem in the restoration of the AIX authdb registry setting.

  • If pam is in use, wait until the process has finished before closing the PAM session.

  • Fixed "sudo -i -u user" where user has no shell listed in the password database.

  • When logging I/O, sudo now handles pty read/write returning ENXIO, as seen on FreeBSD when the login session has been killed.

  • Sudo now performs I/O logging in the C locale. This avoids locale-related issues when parsing floating point numbers in the timing file.

  • Added support for Ubuntu-style admin flag dot files.

Major changes between version 1.7.2p8 and 1.7.3:

  • Support for logging a command's input and output as well as the ability to replay sessions. For more information, see the documentation for the log_input and log_output Defaults options in the sudoers manual. Also see the sudoreplay manual for information on replaying I/O log sessions.

  • The use_pty sudoers option can be used to force a command to be run in a pseudo-pty, even when I/O logging is not enabled.

  • On some systems, sudo can now detect when a user has logged out and back in again when tty-based time stamps are in use. Supported systems include Solaris systems with the devices file system, Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys only).

  • On AIX systems, the registry setting in /etc/security/user is now taken into account when looking up users and groups. Sudo now applies the correct the user and group ids when running a command as a user whose account details come from a different source (e.g. LDAP or DCE vs. local files).

  • Support for multiple sudoers_base and uri entries in ldap.conf. When multiple entries are listed, sudo will try each one in the order in which they are specified.

  • Sudo's SELinux support should now function correctly when running commands as a non-root user and when one of stdin, stdout or stderr is not a terminal.

  • Sudo will now use the Linux audit system with configure with the --with-linux-audit flag.

  • Sudo now uses mbr_check_membership() on systems that support it to determine group membership. Currently, only Darwin (Mac OS X) supports this.

  • When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.

  • The passwd_timeout and timestamp_timeout options may now be specified as floating point numbers for more granular timeout values.

  • Negating the fqdn option in sudoers now works correctly when sudo is configured with the --with-fqdn option. In previous versions of sudo the fqdn was set before sudoers was parsed.

Major changes between version 1.7.2p7 and 1.7.2p8:

  • Fixed a crash on AIX when LDAP support is in use.

  • Fixed problems with the QAS non-Unix group support.

Major changes between version 1.7.2p6 and 1.7.2p7:

  • Fix detection of newer versions of OpenPAM.

  • Sync non-Unix group support with Quest sudo git repo.

  • Configure fixes: HP-UX ld uses +b instead of -R or -rpath; fix typo in --with-vasgroups check; link with -ldl for vasgroups; add missing template for ENV_DEBUG.

  • Fix typos in README.LDAP.

  • Use the value of SHELL from configure in the Makefile.

  • Handle duplicate variables in the environment. For unsetenv(), keep looking even after remove the first instance. For sudo_putenv(), check for and remove dupes after we replace an existing value.

  • Fix a crash in visudo when checking a sudoers file that has aliases that reference themselves.

  • Fix a crash in visudo when checking a sudoers file in strict mode when alias errors are present.

Major changes between version 1.7.2p5 and 1.7.2p6:

  • When doing a glob match, short circuit if gl_pathc is 0.

  • Fix a bug introduced with def_closefrom. The value of def_closefrom already includes the +1.

  • Added a note about the security implications of the fast_glob sudoers option.

  • Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.

  • Fix installation of sudoers.ldap in "make install" when --with-ldap was specified without a directory.

Major changes between version 1.7.2p4 and 1.7.2p5:

  • Fix size arg when realloc()ing include stack.

  • Avoid a duplicate fclose() of the sudoers file.

Major changes between version 1.7.2p3 and 1.7.2p4:

  • Fix a bug that could allow users with permission to run sudoedit to run arbitrary commands.

Major changes between version 1.7.2p2 and 1.7.2p3:

  • Fix printing of entries with multiple host entries on a single line.

  • Fix use after free when sending error messages via email.

  • Use setrlimit64(), if available, instead of setrlimit() when setting AIX resource limits since rlim_t is 32bits.

Major changes between version 1.7.2p1 and 1.7.2p2:

  • Fixed a a bug where the negation operator in a Cmnd_List was not being honored.

  • No longer produce a parse error when #includedir references a directory that contains no valid filenames.

  • The sudo.man.pl and sudoers.man.pl files are now included in the distribution for people who wish to regenerate the man pages.

  • Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.

  • When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so they can be used during authentication.

Major changes between version 1.7.2 and 1.7.2p1:

  • Fixed the expansion of the %h escape in #include file names introduced in sudo 1.7.1.

Major changes between version 1.7.1 and 1.7.2:

  • A new #includedir directive is available in sudoers. This can be used to implement an /etc/sudo.d directory. Files in an includedir are not edited by visudo unless they contain a syntax error.

  • The -g option did not work properly when only setting the group (and not the user). Also, in -l mode the wrong user was displayed for sudoers entries where only the group was allowed to be set.

  • Fixed a problem with the alias checking in visudo which could prevent visudo from exiting.

  • Sudo will now correctly parse the shell-style /etc/environment file format used by pam_env on Linux.

  • When doing password and group database lookups, sudo will only cache an entry by name or by id, depending on how the entry was looked up. Previously, sudo would cache by both name and id from a single lookup, but this breaks sites that have multiple password or group database names that map to the same uid or gid.

  • User and group names in sudoers may now be enclosed in double quotes to avoid having to escape special characters.

  • BSM audit fixes when changing to a non-root uid.

  • Experimental non-Unix group support. Currently only works with Quest Authorization Services and allows Active Directory groups fixes for Minix-3.

  • For Netscape/Mozilla-derived LDAP SDKs the certificate and key paths may be specified as a directory or a file. However, version 5.0 of the SDK only appears to support using a directory (despite documentation to the contrary). If SSL client initialization fails and the certificate or key paths look like they could be default file name, strip off the last path element and try again.

  • A setenv() compatibility fix for Linux systems, where a NULL value is treated the same as an empty string and the variable name is checked against the NULL pointer.

Major changes between version 1.7.0 and 1.7.1:

  • Fixed a bug in the version of glob() supplied with sudo that affected character classes and ranges.

  • Fixed a NULL pointer dereference when the sudoers file mode or owner was incorrect.

  • Fixed a NULL pointer dereference when a PAM module called the sudo conversation function during a phase other than authentication.

  • Fixed an LDAP compatibility problem with the AIX LDAP libraries.

  • A new Defaults option "pwfeedback" will cause sudo to provide visual feedback when the user is entering a password.

  • A new Defaults option "fast_glob" will cause sudo to use the fnmatch() function for file name globbing instead of glob(). When this option is enabled, sudo will not check the file system when expanding wildcards. This is faster but a side effect is that relative paths with wildcard will no longer work.

  • New BSM audit support for systems that support it such as FreeBSD and Mac OS X.

  • The file name specified with the #include directive may now include a %h escape which is expanded to the short form of hostname.

  • The -k flag may now be specified along with a command, causing the user's timestamp file to be ignored.

  • New support for Tivoli-based LDAP START_TLS, present in AIX.

  • New support for /etc/netsvc.conf on AIX.

  • The unused alias checks in visudo now handle the case of an alias referring to another alias.

  • A new Defaults option "umask_override" will cause sudo to set the umask specified in sudoers even if it is more permissive than the invoking user's umask.

Major changes between version 1.6.9p19 and 1.7.0:

  • Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications.

  • Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files.

  • Sudo's -l (list) flag has been enhanced:
    • applicable Defaults options are now listed
    • a command argument can be specified for testing whether a user may run a specific command.
    • a new -U flag can be used in conjunction with sudo -l to allow root (or a user with sudo ALL) to list another user's privileges.

  • A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification.

  • A uid may now be used anywhere a username is valid.

  • The secure_path run-time Defaults option has been restored.

  • Password and group data is now cached for fast lookups.

  • The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line.

  • visudo will now warn about aliases that are defined but not used.

  • The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run.

  • Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos.

  • Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: 
    	    sudoers: ldap files
    to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first.

  • Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run.

  • Sudo now ignores user .ldaprc files as well as system LDAP defaults. All LDAP configuration is now in /etc/ldap.conf (or whichever file was specified by configure's --with-ldap-conf-file option). If you are using TLS, you may now need to specify: 
    	    tls_checkpeer no
    in sudo's ldap.conf unless ldap.conf references a valid certificate authority file(s).

  • If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass.

  • A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used.

  • Resource limits are now set to the default value for the user the command is being run as on AIX systems.

  • A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run.

  • A new -n flag is available which may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required.

  • A new Defaults option, "sudoers_locale" that can be used to set the locale to be used when parsing the sudoers file.

  • sudoedit now checks the EDITOR and VISUAL environment variables to make sure sudoedit is not re-invoking itself (or sudo). This allows one to set EDITOR to sudoedit without getting into an infinite loop for programs that need to invoke an editor such as crontab(1). Also added SUDO_EDITOR environment variable which is used by sudoedit in preference to EDITOR/VISUAL.

  • The versions of glob(3) and fnmatch(3) bundled with sudo now support POSIX character classes.

  • If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified.

  • Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must now press ^C or ^D at the prompt.